Data Privacy in Australia

Australia’s Privacy Act of 1988

The Privacy Act of 1988 is the principal law protecting data privacy in Australia. It governs the stages of data handling, such as collection, storage, and use, in the public and private sectors. It was amended first in 2014 and a third time in 2017 to strengthen the data privacy protection terms, given the emergence of social media networks and cybercrime. In April 2022, the Data Availability and Transparency Act 2022, which is part of the Privacy Act 1988, received a consequential amendment in Schedule 1-3. The Office of the Australian Information Commissioner (OAIC) and the Attorney-General have full authority to administer these laws related to data privacy in Australia.

Who Must Comply

These laws apply to most private sector agencies in Australia. Additionally, government agencies operating in Australia with $3 million in annual turnover must comply with these principles.

What’s Included in the Privacy Act of 1988

Schedule 1 lists 13 main principles, in addition to 9 parts covering all necessary data protection and processing cases and scenarios. These principles are commonly known as the Australian Privacy Principles (APPs).

  • Open and transparent personal information management
  • Anonymity and pseudonymity
  • How personal information should be collected in a fair and legal way only after an individual consents to it
  • Terms to deal with unsolicited or unwanted personal details
  • Terms defining the notifications to be sent/received alerting the individual about personal information collected
  • Using or disclosing personal information
  • Direct marketing terms and rights for individuals
  • Disclosure of personal details outside Australian boundaries
  • Disclosure or use of government or similar identifiers
  • Acceptable quality standards of the personal information collected
  • Security of consumers’ or individuals’ personal details
  • Rights to access personal information
  • Corrections or modifications to be made in this personal information

Conditions for Small Business Entities to be Protected

  • Must have $3 million in annual turnover
  • Provide health information, excluding employee records
  • Disclose, store, process, or use personal information for a defined service or benefit
  • Must be registered under the Commonwealth contract, or
  • Must be actively registered under a credit reporting body

Individual Rights

The 2020 Act contains 13 Information Privacy Principles (IPP):

  • Know why, how, and who collects/processes your data
  • Opt out of disclosing his/her identity and use a fake name in specific situations
  • Access his/her online maintained personal information, including health-related data
  • Choose not to receive any marketing ads online
  • Seek the opportunity to rectify errors in personal information displayed, stored, or processed online
  • Complain against an agency/entity/organization, private or public (acceptable under this law), if they wrongfully use his/her info


  • State or territory agencies already covered or protected under their state or territory’s legislation
  • Actively registered political parties or their representatives
  • A small business that does not have up to $3 million in annual turnover or is unable to meet the other small business conditions under this law
  • Current and former employee records maintained and stored by organizations
  • Public schools
  • Individuals acting on their own
  • Media houses or journalists committed to using the information in the public interest and morally abiding by pre-existing privacy laws or standards

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope.